Lab Description:

In this lab, you will explore how attackers can exploit misconfigurations in the AWS cloud to collect details, perform reconnaissance, and exfiltrate data. You will learn to identify and exploit common vulnerabilities, such as overly permissive IAM roles and public S3 buckets. From the defender’s perspective, you will use AWS CloudTrail, S3 access logs, and EC2 images to detect suspicious activities and unauthorized access. Through practical exercises, you will gain hands-on experience in both attacking and defending cloud environments, ultimately learning best practices for continuous monitoring and incident response in AWS.

Lab Objectives:

• Exercise 1: Discover the initial misconfiguration that led to the compromise of the AWS environment.
• Exercise 2: Trace an attacker’s steps using CloudTrail and system logs to identify key indicators of compromise.
• Exercise 3: Analyze S3 access logs to detect unauthorized data access.
• Exercise 4: Perform a forensic analysis of a compromised EC2 instance using snapshots and AMIs.
• Exercise 5: What remediation measures can be implemented for securing the AWS environment.

Tools and Techniques:

• Disk Forensic: FTK Imager, Sleuth Kit
• Log Analysis : Any Preferred Tool or SIEM

Lab Evidence:

You will get access to all the evidence collected from the breached server & AWS logs.

Password: threatbreach.io

Download any one of them either vmdk or 7z [ contains dd ], if vmdk is downloaded convert them into dd using below command ⏬

qemu-img convert -f vmdk -O raw /Path/To/Disk_Image.vmdk /Path/To/Disk_Image.dd

Writeup

Writeup will be published soon, If you want to send your writeup to be evaluated share it on labs[@]threatbreach.io